Protecting one’s privacy


The revelations about the scale of NSA snooping on everyone’s information and communications, and the storing of that information to be used against you, have spawned interest in how to combat it.

The Electronic Frontier Foundation has published a list of ten steps that anyone can take that will make their computer data more secure. To be honest, even though I have been writing about these things, the only precautions I take are #7 and #8 in the list. I have been thinking of using PGP encryption but when I look into it, there seem to be a lot of options and I am not sure which ones are safe and secure to use. Can readers recommend a good source for the PGP software plus a good tutorial on how to use it? And for any of the other recommendations on the list too.

Meanwhile, Cory Doctorow writes of several clever ways to combat the government. Consider the infamous National Security Letters that not only demand that you hand over any information you have in your possession to the FBI but also forbid you from telling anyone that you were asked to do so, even your lawyer or the person about whom information was requested, under the threat of severe punishment.

Librarians (a group of people whom I greatly admire) were among the first groups to raise the alarm and protest the NSLs because the government could demand that they hand over library patron information and prohibit them from telling the patron what information had been asked for or even that their records had been snooped on. Librarians felt that this violated the trust they had with patrons and was a violation of their ethics. Of course, the government has little concern about ethics in their drive to acquire people’s private information.

But according to Doctorow, one librarian had an idea.

Jessamyn West, a radical librarian, conceived of a brilliant solution, a sign on the wall of her library reading “THE FBI HAS NOT BEEN HERE (watch very closely for the removal of this sign).” After all, she reasoned, if the law prohibited her from telling people that the FBI had been in, that wasn’t the same as her not not telling people the FBI hadn’t been in, right?

Doctorow says that this gave him an idea for a system modeled on the ‘dead man’s switch’, where it is the absence of an action that triggers the alarm.

This gave me an idea for a more general service: a dead man’s switch to help fight back in the war on security. This service would allow you to register a URL by requesting a message from it, appending your own public key to it and posting it to that URL.

Once you’re registered, you tell the dead man’s switch how often you plan on notifying it that you have not received a secret order, expressed in hours. Thereafter, the service sits there, quietly sending a random number to you at your specified interval, which you sign and send back as a “No secret orders yet” message. If you miss an update, it publishes that fact to an RSS feed.

Such a service would lend itself to lots of interesting applications. Muck-raking journalists could subscribe to the raw feed, looking for the names of prominent services that had missed their nothing-to-see-here deadlines. Security-minded toolsmiths could provide programmes that looked through your browser history and compared it with the URLs registered with the service and alert you if any of the sites you visit ever show up in the list of possibly-compromised sites.

This would make for an interesting legal case. Could someone be prosecuted for setting up such a system and thus alerting, by inaction, that they received a national security letter? Because if you set up such a system and do receive such a letter, then the only way to prevent that fact from becoming known is to tell a falsehood, that you had not received a letter. It is one thing for the government to tell someone that they cannot reveal a truth. But can the government compel you to tell a lie in order to be compliant with the law?
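The challenge-and-signed-reply round that Doctorow describes, sketched as an added example (it is not Doctorow's code or any existing service). The `Registration` type, the function names, the Ed25519 signature scheme, the 32-byte challenge and the example.org URL are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Registration is the per-URL state a hypothetical switch service keeps.
type Registration struct {
	URL       string
	PubKey    ed25519.PublicKey
	Interval  time.Duration
	challenge []byte    // outstanding random number
	deadline  time.Time // when the signed reply is due
}

// message binds the statement to one round's number; SignReply is the registrant's side.
func message(c []byte) []byte { return append([]byte("No secret orders yet: "), c...) }
func SignReply(priv ed25519.PrivateKey, c []byte) []byte { return ed25519.Sign(priv, message(c)) }

// Issue draws a fresh random challenge and starts the clock.
func (r *Registration) Issue(now time.Time) []byte {
	r.challenge = make([]byte, 32)
	if _, err := rand.Read(r.challenge); err != nil {
		panic(err)
	}
	r.deadline = now.Add(r.Interval)
	return r.challenge
}

// Check returns "ok" for a valid reply before the deadline; "missed" goes to the feed.
func (r *Registration) Check(sig []byte, now time.Time) string {
	if now.After(r.deadline) || !ed25519.Verify(r.PubKey, message(r.challenge), sig) {
		return "missed"
	}
	return "ok"
}

// Scenario runs a timely reply, a late reply, and an old signature replayed in the next round.
func Scenario() []string {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	r := &Registration{URL: "https://example.org/", PubKey: pub, Interval: 24 * time.Hour}
	t0 := time.Unix(0, 0) // constructed clock
	sig := SignReply(priv, r.Issue(t0))
	out := []string{r.Check(sig, t0.Add(time.Hour)), r.Check(sig, t0.Add(25*time.Hour))}
	r.Issue(t0.Add(24 * time.Hour)) // next round: new random number
	return append(out, r.Check(sig, t0.Add(30*time.Hour)))
}
func main() { fmt.Println(Scenario()) }
```

The third result shows why the service sends a fresh random number each round: a signature saved from an earlier round cannot be replayed later by someone who does not hold the private key.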

Comments

  1. Dunc says

    But can the government compel you to tell a lie in order to be compliant with the law?

    Doesn’t the existing law already require this, in the event that someone asks the recipient of a National Security Letter whether they have received one?

    I very much doubt that this sort of rules-lawyering is likely to be effective anyway. We’re talking about an institution that assassinates people on flimsy pretexts with no legal process, they’re not going to let anyone get away with this sort of I’m-sort-of-technically-just-within-the-letter-of-the-law shenanigans if they don’t want to. They write the laws.

  2. raven says

    This would make for an interesting legal case. Could someone be prosecuted for setting up such a system and thus alerting, by inaction, that they received a national security letter?

    I doubt it would ever be a legal case.

    1. The government is on thin ice legally with their misnamed Patriot Act rules. The constitution hasn’t been repealed.

    2. I’m sure they don’t want it tested in the court system.

    3. The government exists by the consent of the governed. And they know it. If too many people stop cooperating, there isn’t anything they can do about it. That is why the USSR collapsed. To take one example, the IRS depends on people voluntarily paying their taxes. If too many people stopped or started misreporting, there isn’t much they could do. They don’t have the resources to check on 317 million people.

  3. raven says

    My local librarians had a solution to the NSA requirements.

    They just told everyone what the law was. And then said they don’t keep patrons’ borrowing history. It’s just gone in a few weeks. You can set your account up to store that information but you have to do it yourself.

  4. Lassi Hippeläinen says

    Using a haphazard collection of available tools won’t help you much. Encrypting a session is useless, if the data is then stored insecurely. Encrypting only the sensitive messages leaks information, because the pattern of encrypted sessions reveals a lot of “metadata”. Basically you should encrypt also piles of useless dirt to hide the really important messages.

    You need a system view of things. It begins by defining a threat model.
    -- Who are your enemies?
    -- What resources do they have?
    -- How long is your secret data relevant to your enemies?
    -- Will protection cost more than what your data is worth?
    And that’s just the beginning. Only when you have your threat model, you can start thinking about countermeasures. It’s a bit like mathematics: you need a set of axioms before you can derive clauses.

    A private person doesn’t have all the competence that is needed. Someone like the EFF should start an open project to define a few good threat models and use cases for the hoi polloi.

  5. Chiroptera says

    A better test case would be: if someone gets a NSL, then they talk to their lawyer. ‘Course, you’ll have to expect trouble as this is tested in court, but I can’t imagine that this wouldn’t get struck down. I mean, seriously, they really think that forbidding people from getting legal advice is going to fly? In a judicial system dominated by lawyers?

    Even if we assume that NSLs are constitutional and are even ethically acceptable, there still needs to be an independent mechanism for determining whether this one particular NSL is valid according to the accepted law and guidelines and procedures.

    But then, our leaders don’t seem to show much respect for the notion of “rule of law.”

  6. trucreep says

    You’re absolutely right — the government does not want any of this challenged in a court because it is clearly unconstitutional. The “legal” basis for all of this relies on legal memos and executive orders, all kept secret from the public and congress, save for the few that will play ball (DiFi, Rogers, etc). The government goes out of its way to make sure you or I cannot challenge any of this in court, and one of the most effective ways of doing that is arguing that people have no standing to challenge it. They argue we have no standing because we cannot prove we were actually harmed by any of this, and it can’t be proven because they keep it secret.

    That’s why there is real panic in the IC over the dozen or so cases that ARE going through the courts. SCOTUS just declined to hear the case brought by EPIC, but there are about 10 or 12 other cases making their way through right now. And the DOJ is starting to notify some defendants that they were spied on, something they were REQUIRED to do, but are only now doing it (they claimed there was a miscommunication :] ). Remember that a huge part of their case they argued in front of the supreme court RELIED on the fact that they would share this information.

  7. trucreep says

    Dr. Singham,

    I believe that you are in a unique position to significantly contribute with number 10 on that list. We all should do it, but persons such as yourself with relative influence make all the difference. I think you do a good job already through your blog, and I bet you could have even more reach through your university. Regardless, I’d add #10 to your #7 and #8 :]

    #4 is an easy one to implement too. The best password is something like a phrase of random words that you can remember easily. JeanJacketsTimothysBangs -- great password and also a pretty funny joke too 😛

  8. says

    Thank you, that was really useful to me in terms of thinking about the problem. I’ve done reasonably well in being private, but I’m becoming more careful about it as I go along, as a feminist and queer activist who travels into the US to visit family occasionally.

    Anyway, thanks.

  9. says

    The system I use for passwords works beautifully for me, and I share it when it’s appropriate.

    I use sentences. Sentences that only mean anything to me, like (none of these examples apply):

    My Mum lives @ 26 Elm Street

    So the password then is MMl@26ES.

    Obviously, that’s not a great one, because your mother’s address is reasonably available to the dedicated attacker. But I have about 20 of these things, and each of them is about something only I know, and they’re relatively easy for me to remember, because I can use the natural comfortable memory patterns of storing our own biographies mentally as a mnemonic.

    Thanks for the links to the 10 things. I’m happy to say I already routinely use 8 of them; I’ve not bothered with encryption because I a) don’t send anything by e-mail that I wouldn’t already be okay with people knowing, because e-mail is postcards with infinite carbons, not letters; and b) if I talk about anything remotely improper in my e-mail, it is ALWAYS in an idiosyncratic and ever-changing argot developed between me and my partner, the only person I might consider talking to in e-mail about anything remotely important. I’m not putting here how I identify the context in which that argot should be read.

    I know there’s a file on me, because I’ve had a security clearance, and because I used to regularly go to the Soviet embassy in Ottawa, and because they checked out anyone learning Russian in uni in those days, and because I’ve been nicked a few times in demos and rallies. So, I just…think a bit, and have been since long before I was on the Internet.

  10. says

    I don’t see anything there that invalidates it; in fact, it was Schneier who introduced me to the idea. The XKCD four-words version is no longer seen as all that useful, given the increasing strength of dictionary + common variants attacks when run on massive clusters hashing madly.

    Another extra layer I can put on is to make the sentence not in English, and then type it using the soft-keyboard for that language, while making the password itself in Latin characters.

    The point is to make something which has all the advantages of being random, as there are WAY too many biographical sentences I can make up and remember even leaving aside things that other people know about, but which is also memorable. And they can run as long as a sentence I can remember.

    None of my passwords has ever been successfully stolen, despite my having had accounts at a few places that have been hacked and stored their passwords poorly. Mine don’t have to be perfect; like running from zombies, mine only has to be better than yours. It’s pretty rare for mass attack to get more than 90% or so, even of unsalted badly-encrypted files; I’m only aiming to be in that 10%, not the 0.01%. 🙂

  11. trucreep says

    Right on :] And hey, if Bruce Schneier backs it, even better. I stand corrected.

    Good point about being in the 10% too.

  12. keresthanatos says

    A system I have used since the 1980s is geometrical patterns on the keyboard. A slightly more involved method that I have used is to change a few system parameters so that the use of the backspace key is mandatory. Really messes with those pesky over the shoulder crackers as well as keyboard loggers. Not so much help with deep hooks into the o/s.

  13. Lassi Hippeläinen says

    The backspace key is your friend against shoulder surfers. They will lose their sync, when you backspace once or twice while typing the password.

  14. Lassi Hippeläinen says

    Just a reminder: a complex way to generate a password can make you feel secure, but it doesn’t guarantee a complex password. The attacker doesn’t have to jump through the same hoops.

  15. says

    Absolutely. What I aim at is to have a string of alpha (+ symbols as required) that is essentially random to the outside, but which is effectively nonrandom to me. If done right (and crossing languages/keyboards really does make a big difference; fortunately, I speak several non-English, and a couple of non-Latin alphabet, languages), you get a string that is secure from dictionary attacks entirely because it uses no words, and with a language cross you don’t even get a statistical frequency attack of any value on the word-initial glyphs.

    I’m not saying it’s the best or only system for getting a good password. I’m only meaning to offer a system which can give a password of a fairly secure kind (compared to the usual qwerty123 and Lorraine69 that are cracked in seconds), which is relatively memorable and yet as private as you choose it to be. I even have a paper copy of password mnemonic spurs, a word or two referring to the event used for the password in question. And even those I put in another language yet. 😀

    Ideally, all my passwords would be as long as the input allows, and served up completely randomly, yes, for sure. I know this. 🙂 But I do like the system I’ve described because it has user factors which make it easier for ordinary folk to use, while retaining the pseudo-randomness even without language-crossing.

    Also, it reminds me of a great little cipher that I found in a book when I was a kid, taking a phrase which is known only to you and the recipient, and adding it as number-values to the number-ciphered text:

    Pseudoversion:

    All that glitters is not gold
    Meet me at the bridge at midnight stop

    Break into groups of five, and fill with random any group under five in the message to be ciphered:

    allth atgli tters isnot golda lltha tglit tersi snotg old
    meetm eatth ebrid geatm idnig htsto pmglk

    cipher as numbers:
    _20.5.18.19.9_19.14.15.20.7_19.12.4

    1.12.12.20.8_1.20.7.12.9_20.20.5.18.19_9.19.14.15.20_7.19.12.4.1_12.12.20.8.1_20.7.12.9.20

    13.5.5.20.13_5.1.20.20.8_5.2.18.9.4_7.5.1.20.13_9.4.14.9.7_8.20.19.20.15_16.13.7.12.11

    Add line 1 to line 2, then render as letters, numbers over 26 wrapping to 1 again:

    14.17.17.14.21_6.21.1.6.17_25.22.23.1.23_16.24.15.9.7_16.23.26.13.8_20.6.13.2.16_10.20.19.6.5

    Final cipher:

    nqqnu fuafq yvwaw pxoig pwzmh thmbp jtsfe

    The longer and less known the phrase, the better; again, crossing languages in the ciphering step is a big help in defeating statistical frequency attacks.

    /lolgeekery (I used to be a big fan of ciphers and stuff when I was a kid, and then I went into communications when I served in the military…:D)

  16. says

    Oh, sorry, that didn’t go well -- I didn’t realize the ‘code’ tag was auto-closed on each line. 🙁 I should have realized, I expect the editor adds a ‘p’ whenever I hit Enter. sigh. Everything between the two code lines should have been code, would have made things line up and be legible.

  17. says

    Crap, just noticed I left a bit of detritus there too:

    _20.5.18.19.9_19.14.15.20.7_19.12.4

    Should be deleted, it was leftover from the passphrase repetition.
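The phrase-addition cipher from comment 15, written out as an added example (not the commenter's code) so the arithmetic can be run and reversed. It is a Vigenère-style addition with the key phrase repeated; the function names are assumptions, and decryption and taking the filler letters as a parameter go beyond what the comment walks through.

```go
package main

import (
	"fmt"
	"strings"
)

// letters maps a-z to 1..26 as in the comment and drops everything else.
func letters(s string) []int {
	var out []int
	for _, r := range strings.ToLower(s) {
		if r >= 'a' && r <= 'z' {
			out = append(out, int(r-'a')+1)
		}
	}
	return out
}

// combine adds (sign +1) or subtracts (sign -1) the repeated key phrase,
// wraps into 1..26 and writes the result in groups of five.
func combine(key, text string, sign int) string {
	k, t := letters(key), letters(text)
	if len(k) == 0 {
		return ""
	}
	var b strings.Builder
	for i, v := range t {
		if i > 0 && i%5 == 0 {
			b.WriteByte(' ')
		}
		n := ((v+sign*k[i%len(k)]-1)%26+26)%26 + 1
		b.WriteByte(byte('a' + n - 1))
	}
	return b.String()
}

// Encrypt pads the message to a multiple of five with caller-supplied filler letters (a-z only).
func Encrypt(key, msg, filler string) string {
	pad := (5 - len(letters(msg))%5) % 5
	if pad > len(filler) {
		pad = len(filler)
	}
	return combine(key, msg+filler[:pad], +1)
}

// Decrypt subtracts the same key phrase; the filler letters stay at the end of the plaintext.
func Decrypt(key, ct string) string { return combine(key, ct, -1) }

func main() { fmt.Println(Encrypt("All that glitters is not gold", "Meet me at the bridge at midnight stop", "mglk")) }
```

Run on the comment's own phrase, message and filler, this reproduces the first four groups of the hand-worked ciphertext; the last three groups come out as pszmh tfmbp jtsue.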
